Endpoint

1/11/2017
10:30 AM
Lance Spitzner
Commentary

The 3 C's Of Security Awareness

Explaining the technical part of security comes easy for many of us. But the soft skills needed to change behavior are often sadly missing.

Over 80% of security awareness professionals have a background in either information security or information technology, according to SANS's 2016 Security Awareness Report. Fewer than 15% have a background in soft skills such as training, marketing, or communications. The technical part of awareness comes naturally to them; the softer side of behavior change does not.

It's one reason there is an uphill battle when it comes to building comprehensive awareness programs. Because cybersecurity professionals, including awareness leaders, are heavily steeped in technical skills, they understand what behaviors need to be changed but fall short in how they attempt to change those behaviors.

In a previous post, I described the "what" of a good security awareness program — what you should focus on and what makes a program effective. After analyzing scores of awareness program outcomes and working with hundreds of security awareness leaders in 2016, it's clear to me that we need to place a greater emphasis on how to change behavior and how to run a security awareness program in order to make awareness behavior stick.

The soft skills needed to change behavior and deliver key messages are critical to the success of an awareness program, starting with gaining executive-level support all the way to scrapping boring PowerPoint decks in favor of a personal story to better engage employees. To help awareness officers address this in 2017, I have put together the three C's of security awareness program success: communication, collaboration, and culture.

Communication
Ultimately, awareness is about effective communication. First we need to engage people and explain why they should care about cybersecurity. Then we need to communicate what we need them to do in simple terms and be sure people are able to exhibit those behaviors. Too many awareness professionals have been plagued with the curse of knowledge — the condition that happens when experts know something so well that they're terrible at communicating it precisely because they are experts.

Take Action: Fight the curse of knowledge at every turn and devote a percentage of time to improve how you communicate key awareness messages. A great place to start is to talk to your communications department and read the book Made to Stick by Chip and Dan Heath.

Collaboration
Security awareness touches everyone in the organization, so what you communicate and how you communicate to various stakeholders is critical to gain support, buy-in, and behavior change. In addition, establishing a solid program requires a vast number of different skills and coordination with different departments. For that reason, you'll need the ability to partner with various individuals and departments throughout your organization. Examples include working with communications to help engage employees, human resources to better understand your target groups, and legal and audit departments to ensure your program is compliant. The more people you partner with, the greater your chance for success.

Take Action: Create an advisory board made up of people from various departments who can help you build, maintain, and measure your awareness program from the beginning. Explore launching an ambassador program (employees who volunteer to help promote cybersecurity) that can not only scale your resources but also embed awareness throughout the organization.

Culture
Culture goes beyond behavior alone and includes the perceptions, attitudes, and beliefs people have toward cybersecurity. Culture, and the process of incorporating emotion, can be a challenge for technical people to grasp. Your existing culture plays a key role in how you communicate and collaborate in your organization, and ultimately in your success at changing behavior.

Outgoing cultures such as those found in technology companies often prefer humorous content they can watch and consume on their own schedule, while conservative cultures such as insurance, finance, and government often prefer more subdued or "professional" content and material that people can read or that can be delivered during office hours.

Take Action: Study your culture to understand the organizational values and beliefs that will inform your awareness program planning. Talk to people in your HR department; they often have the best understanding of your organization’s culture and how that may impact your awareness program.

Ultimately, your organization needs to leverage both technical skills and soft, human-centered skills to create a mature awareness program. Most security awareness professionals already understand the technical issues. But by addressing the 3 C's of awareness, either by developing your own skills or bringing in others who have those skills, you will go a long way toward changing behavior and your organization's culture.

Lance Spitzner is an internationally recognized leader in the field of cyber threat research and security training and awareness. He sits on the board of the National Cyber Security Alliance and helped develop and implement numerous multi-cultural security awareness programs ...

Comments
ClaJones
User Rank: Strategist
1/12/2017 | 4:40:54 PM
One size fits all security training programs rarely work.
You must write/create a security training awareness program to fit your audience. You and I might appreciate it, but too much technical information will cause those who don't have a firm grasp of these topics to get glassy-eyed and tune out the content.
JulietteRizkallah
User Rank: Ninja
1/12/2017 | 4:34:03 PM
CISO/CMO: collaboration for better communications
As mentioned in this article, the key will be for the Security Team/CISO and CMO/Marketing to collaborate on a communication plan, from formal communication of an awareness program to highlighting via email security incidents that occurred in the company and how to avoid them. Having the support of the CEO/COO/President is always a plus and helps shift the culture towards security.
kbannan100
User Rank: Moderator
1/12/2017 | 2:01:15 PM
Re: a thought...
I agree! For instance, we know that printers are a huge target for hackers. How do you change the user behavior to make sure they are doing what they need to do when printing documents? How do you make sure all of IT is making sure that printers are set up carefully and that new printer purchases take into account the latest security protocols? 

--Karen Bannan for IDG and HP
lspitzner
User Rank: Author
1/12/2017 | 12:18:26 PM
Re: a thought...
Ryan, I love sharing examples; unfortunately there are limits to what you can fit in a single article. One of the best examples of seeing all three elements come together is Ambassador Programs, something growing quite fast in the Security Awareness community. Organizations like Sony, Thomson Reuters and Diageo are outstanding examples. I'll see if I can have them come on as Guest Bloggers and share their stories.
lspitzner
User Rank: Author
1/12/2017 | 12:10:27 PM
Writing Content
Monica, you are absolutely correct; this is why collaboration is so key. If you feel you may not be an effective communicator, lack creativity or are not sure how to best 'market' awareness, turn to your advisory board. Build a team to help advise you on how to communicate, how to engage, especially at an emotional level. That is one of the things I love most about this job, just how much I continue to learn from others. - Lance
Ryanology
User Rank: Apprentice
1/11/2017 | 11:22:45 AM
a thought...
On point and informative - well done! Including some real life examples would be helpful. :)